Updated on September 9, 2020 at 12:23 am
I’ve been running an experiment with Windows 10 to capture all incoming and outgoing network traffic with capture beginning from the point of firing up the install. So just a default install and then wait and see what kind of data gets sent back to Microsoft. Anyway, that’s a whole other post to come.
I figured I was going to be firing up a port mirroring switch and need to capture ALL the network traffic coming off my Hyper-V server.
I somehow stumbled upon the ‘Port mirroring’ setting while looking for something else and had a ‘holy crap’ moment. Never knew this feature even existed.
This feature meant that I could limit my traffic capture to exactly the VMs I wanted without having to filter from a general network capture.
Anyway, the feature works like a champ and setup is super simple. Basically:
- Build a VM with your choice of network capture, in my case I fired up Linux and started tcpdump.
- Simply set the capture VM Mirroring mode to ‘Destination’ under Advanced Features for the network adapter. These settings are all under the general Settings window for that particular VM.
- Now for the VMs you want to capture the network traffic from, simply set the Mirroring mode to ‘Source’. One note, you can have multiple sources all firing packets at the destination VM.
- Ensure you have tcpdump fired up on the Destination VM, fire up your VMs that are set to Source and watch the packets flow in with tcpdump.
This is an endlessly useful feature especially if you are someone like myself who has most of his network infrastructure virtualized. No more messing with port mirroring switches or network taps (well… mostly).
Just one more reason I’m super happy with the switch I made a while back to Hyper-V from ESX.
Enjoy and happy packet capturing!